The Internet is the fastest-growing medium in history. The Internet revolution really took off in 1994, when the first commercially available Web browser, Netscape Navigator 1.0, was released (November 1994). The Web browser became a user-friendly interface for accessing information located on a worldwide network of computers from any remote computer. This graphical user interface converted the Internet into a World Wide Web. The global Internet user population continues to grow exponentially. It is projected that by the year 2002, 800 million users will be surfing the Web. Businesses are moving faster than ever to this brand new Internet medium. The Internet demographics are a marketer's dream. Net users are young, well educated and earn high incomes. E-commerce is fast emerging as the wave of the future. Major consumer companies are adapting their businesses to e-commerce. Banking transactions on the Internet are fast catching up. Corporate houses are creating Intranets, Extranets and Virtual Private Networks (VPNs) to make their databases available to their employees and select clients to maximise productivity.
As the Internet grows, the use of Web Applications for remote data access is increasing. With the increase in use of Web Applications, concerns for security on the Internet are growing. Today's Internet security practices are not enough to stop Web Application intrusion or prevent hackers from stealing digital property, from sensitive customer data to confidential corporate information. Hacking a user ID and password or credit card details, while the user enters the information on the Web, is not a very difficult proposition for an expert hacker. Security concerns are hurdles to the growth of online transactions.
As companies worldwide sell their products and services to consumers over the Internet, the business-to-consumer electronic-commerce market is expected to jump to $380 billion in 2003, up from an estimated $31.2 billion in 1999. Having learned from the experiences of their U.S. counterparts, more and more “brick and mortar” retailers around the world are beginning to sell their wares online. In 2003, the U.S. market is expected to be $147 billion, less than half of the expected worldwide total. A lot of that non-U.S. growth will occur in Europe, where online sales to consumers are expected to grow from $5.4 billion in 1999 to more than $115 billion in 2003.
E-Commerce has been a major thrust behind the proliferation of the Internet, particularly the World Wide Web. This has led to the integration of traditional payment methods into Internet-related technologies, particularly to be used over the Web.
Credit card frauds are on the rise. This is primarily on account of online transactions. The familiar plastic currency was designed to be physically handed over to merchants, who could at least make a cursory check to see if signatures on the card and the sales slip matched. Online, commerce is anonymous. There is no way to see who is entering the credit card numbers on the Web page, an anonymity that heavily favours the fraud artists. The stakes are higher for merchants than consumers. While consumers face a limited liability of $50 and a paperwork hassle, online merchants must write off credit card theft as “acceptable loss.” Hard data on how bad the losses are is impossible to find, but anecdotally some industries relate fraud rates as high as 40 percent. Merchants use inexact software to filter out potential fraudulent purchases, but that means they turn away legitimate sales, too.
One can classify credit card payment on online networks into the following categories:
1. Payment using plain credit card information: The easiest method of payment is the exchange of (unencrypted) credit cards over a public network such as telephone lines or the Internet. The low level of security inherent in the design of the Internet makes this method problematic. Authentication is also a problem, as the merchant is usually responsible for ensuring that the person using the credit card is its owner.
2. Payment using encrypted credit card information: Encrypting credit card information is a solution to the problems inherent in 1. However, one concern here is the cost of the transaction itself, which could prohibit low-value payments (micropayments).
3. Payment using third-party verification: One solution to security and verification problems is the introduction of a third party, such as a company that collects and approves payments from one client to another. After a certain period of time for processing, one credit card transaction for the total accumulated amount is completed.
Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure (PKI) have been the preferred approach for very high security needs on the Internet. However, PKI is only practicable in a limited-use Intranet scenario, for very high security classified access, on account of its limitations in economy and convenience of execution on a mass scale. Moreover, such keys are software algorithms, providing no guarantee that the user is the authentic user. A hard key ensures the highest level of security. However, the architecture of present-day PCs does not provide for the use of a user-specific hard key for online transactions.
Several technologies hope to discourage the thieves by implementing systems that require some real-world physical component when shopping online. Smart cards, the generic term for any plastic card which includes an embedded microchip, are one promising solution. Such smart cards encode the biometric data related to the user. Smart cards, which identify the user through encrypted information embedded on the chip, must be inserted into a “card reader” attached to the computer. That means the card can't be used for e-commerce unless the purchaser is currently holding it and has a card reader device to read it. A PIN is also required, so a thief needs to physically have the card and a security code in order to use it. That's a hurdle for an unauthorized user, a more difficult one than using “a number and a date.”
Furthermore, any smart card-based system will cost significantly more than the magnetic stripe card systems currently in place. A PIN smart card costs perhaps $3, and a biometric smart card will cost $5. In addition, each station that currently accepts existing cards would need a smart card reader, and if live biometrics are required, a biometric scanner will also have to be attached to the reader.
It is envisioned that in addition to storing credit and debit account numbers and biometric or PIN authentication information, smart cards may also store phone numbers, frequent flyer miles, coupons obtained from stores, electronic cash usable at tollbooths and on public transit systems, as well as the user's name, vital statistics, and perhaps even medical records.
Still, smart cards are 20 years old, and while there has been some level of adoption in Europe, trials of the technology in the U.S. have failed repeatedly. Consumers perceived them as inconvenient, and in the past they have been unmoved by the improvement in security. The high price tag requires developers to look for additional applications of the smart card beyond simple banking and debit needs. Obviously, not every consumer will be willing to buy a card reader. However, every computer these days comes with a 3.5-inch floppy drive and an Optical Disk Drive (ODD), such as a CD-ROM/DVD drive, as standard. These are data input devices that cannot normally be used for reading a smart card, because they allow viewing, copying and editing of the source data files.
Although user authentication using a hard key or a smart card will ensure secure transactions on the Web, it is not practical for every user to have a reading device to enable these chip-based biometric approaches. Nor is it an economically viable proposition for the credit card industry to instantly replace the current magnetic stripe cards with smart cards, which have a price tag several times higher. Hence, in spite of known security protocols, intrusion is easily possible for an experienced hacker using any Web browser.